May 2000: Web worries worsen

The so-called Love Bug virus – along with several Web site disruptions that have grabbed worldwide media attention – is driving buyers to seek new Internet insurance products, brokers, insurers and risk managers report.

While Love Bug-related claims had yet to materialize as of late last week, the publicity surrounding the e-mail-borne virus has made more corporate leaders aware of the business risks associated with the Internet, said Emily Freeman, practice leader for Marsh Inc.’s e-Business Risk Solutions in San Francisco.

Therefore, more risk managers, either on their own or at the direction of upper management, are shopping for security and risk transfer solutions.

Some, however, may already have coverage appropriate for their risks under their traditional property policies, one insurer said. In some such cases, additional coverage may not be necessary, the insurer said.

Other insurers, meanwhile, say they expect virus and hacker attacks to continue and even to increase in frequency.

Even before the Love Bug attack, 90% of the respondents to a survey on computer crime and security at large corporations and government agencies reported that they had detected security breaches within the last 12 months, with 70% reporting serious security breaches.

Nearly 300 of the respondents, or 42% of all respondents, reported the amount of their losses, which totaled nearly $266 million.

The survey by the San Francisco-based Computer Security Institute, which was released in March, was conducted with the help of the Federal Bureau of Investigation.

As for the Love Bug, it spread rapidly May 4, crippling e-mail systems around the world and destroying some computer files. Investigators tracked the source of the virus to the Philippines.

Published estimates have placed potential Love Bug losses as high as $10 billion. Several insurers say, however, that it is impossible to verify such a number or determine the exact extent of losses.

For one reason, they note, many companies may prefer to keep the size of their losses hidden to protect their customer base and stock market valuations.

Insured losses from the Love Bug virus are expected to be minimal. Relatively few of the new breed of insurance policies for Internet risks have been sold to date that would cover such losses, experts say.

In addition, claims under traditional property insurance policies with business interruption endorsements for viruses also are likely to be minimal, said Michael Donovan, a partner at Hancock Rothert & Bunshoft L.L.P. in San Francisco who has served as an adviser to insurers developing Internet products.

Mr. Donovan said he believes that most companies did not suffer business disruptions long enough to meet the time criteria for coverage under the business interruption components of their property policies.

The Love Bug “seems to be just a major nuisance for IT departments,” he said. Most losses generated are likely the soft costs associated with restarting companies’ e-mail systems. Those costs are hard to quantify, and neither traditional property policies nor some of the new Internet products will cover such costs, he explained.

The news generated by the virus and its effects, however, is spreading interest in the new policies among insurance buyers.

“The Love Bug has definitely increased submissions and increased the desire of applicants to close the deal,” said Ty R. Sagalow, executive vp and chief operating officer for AIG Global e-Business Solutions in New York.

AIG is receiving five to 10 submissions a week for its new Internet-related coverage, Mr. Sagalow said. To date, it has sold about a dozen of the new policies.

After denial-of-service attacks struck many well-known e-commerce sites in February, the percentage of policy shoppers turned buyers climbed to 25% from 5%, said Brad Gow, assistant vp-information and technology products group for ACE USA Inc. in Philadelphia. Since the Love Bug virus surfaced, the number has climbed to 30% and could shoot up to 50% by year's end, he predicted.

“Definitely, risk managers have a big concern about these exposures, especially in light of the `I love you' virus,” said Karen Banks, director of risk management for Shaklee Corp. in Pleasanton, Calif. Ms. Banks noted that sessions on Internet risks were among the most heavily attended at the recent Risk & Insurance Management Society Inc. conference, held in San Francisco.

Interest in minimizing Internet-related risks is not limited to e-commerce companies. Most coverage submissions are coming from traditional companies whose core business is not conducted on the Internet, insurers and brokers say.

Many risk managers are just learning the extent of their Internet exposures and are exploring measures to address them, said Eugene F. Kiernan, director of risk management and insurance for National Semiconductor Corp. in Sunnyvale, Calif.

Because National Semiconductor is a manufacturer, Mr. Kiernan said he previously believed it had few Internet exposures, especially compared with companies that conduct all their business online.

That view changed, however, after the risk manager teamed up with his information technology department to assess its Internet risks. The joint risk assessment found that National Semiconductor's Internet exposure is much more varied than he had earlier assumed.

Through this process, as Mr. Kiernan is learning more about his company's Internet risks, National Semiconductor's IT experts are grappling for the first time with insurance concepts.

Mr. Kiernan said one IT professional told him, " `I thought my rental contract was complicated until I read these Internet policies.' "

National Semiconductor's broker is helping to audit the company's Internet exposures before recommending whether insurance coverage is desirable and, if so, which products would best fit its needs, Mr. Kiernan said.

As risk managers become more involved in such issues, they are likely to find themselves interacting with a host of new vendors.

There is going to be exponential growth in demand from risk managers, predicted June Felix, president and chief executive officer of CertCo Inc., a New York-based company that provides security and risk management consulting for online business-to-business transactions. CertCo is currently a partner with AIG in its new Internet coverage offerings.

According to AIG’s Mr. Sagalow, one complaint now being heard from risk managers is that the coverage available under emerging Internet insurance policies varies widely, causing confusion over exactly what they cover.

Some of the products likely will not be adequate to cover all the risks a company faces, he said.

For some policyholder, however, traditional property insurance may respond to losses caused by an Internet e-mail virus, one insurer says.

The array of new insurance products may not even be necessary, because coverage for viruses could be available under some traditional property policies, said Thomas R. Cornwell, vp of the Technology Insurance Group for Chubb & Son Inc. in Warren, N.J.

If a property insurance policy includes media or data coverage with vandalism as a peril and the policy has a business interruption component, then coverage could be available for virus exposures, Mr. Cornwell explained.

In fact, some new Internet products exclude coverage for viruses if the risk is already covered under such a property policy, he added.

Risk managers need to assess just how much Internet-related business risk a company can withstand and the potential impact on its balance sheet if such losses are uninsured, Marsh’s Ms. Freeman said.

A company needs risk control, in the form of security measures, she said. But those measures can have limitations, locking hackers and security experts in a constant battle to one up each other, she said. Therefore, Ms. Freeman advises that risk transfer also be considered.

The above article was first published in the May 15, 2000, edition of Business Insurance. To access complete, searchable copies of Business Insurance going back the magazine’s launch in 1967, click here.